
Bug#217386: marked as done (libc6: ld.so allows execution of programs on noexec mounts)



Your message dated Fri, 24 Oct 2003 11:00:47 -0400
with message-id <20031024150047.GA26072@nevyn.them.org>
and subject line Bug#217386: libc6: ld.so allows execution of programs on noexec mounts
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Tobias Diedrich <ranma@gmx.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libc6: ld.so allows execution of programs on noexec mounts
Date: Fri, 24 Oct 2003 12:18:54 +0200

Package: libc6
Version: 2.3.2-8
Severity: normal
Tags: security,upstream

Using ld.so one can execute programs on noexec mounts, which renders
noexec useless:

melchior:/boot# mount -o remount,noexec /boot
melchior:/boot# cp /bin/bash .
melchior:/boot# sed -i -e 's/Software/Saftware/g' ./bash
melchior:/boot# /lib/ld-2.3.2.so /boot/bash  --version
GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
Copyright (C) 2002 Free Saftware Foundation, Inc.

Apparently this is known since 1999, see:
http://sources.redhat.com/ml/libc-alpha/2000-09/msg00071.html

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux melchior 2.4.22 #15 Wed Oct 15 00:35:05 CEST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages libc6 depends on:
ii  libdb1-compat                 2.1.3-7    The Berkeley database routines [gl

-- no debconf information


---------------------------------------
Date: Fri, 24 Oct 2003 11:00:47 -0400
From: Daniel Jacobowitz <dan@debian.org>
To: Tobias Diedrich <ranma@gmx.at>, 217386-done@bugs.debian.org
Subject: Re: Bug#217386: libc6: ld.so allows execution of programs on noexec mounts
Message-ID: <20031024150047.GA26072@nevyn.them.org>

On Fri, Oct 24, 2003 at 12:18:54PM +0200, Tobias Diedrich wrote:
> Package: libc6
> Version: 2.3.2-8
> Severity: normal
> Tags: security,upstream
> 
> Using ld.so one can execute programs on noexec mounts, which renders
> noexec useless:
> 
> melchior:/boot# mount -o remount,noexec /boot
> melchior:/boot# cp /bin/bash .
> melchior:/boot# sed -i -e 's/Software/Saftware/g' ./bash
> melchior:/boot# /lib/ld-2.3.2.so /boot/bash  --version
> GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
> Copyright (C) 2002 Free Saftware Foundation, Inc.
> 
> Apparently this is known since 1999, see:
> http://sources.redhat.com/ml/libc-alpha/2000-09/msg00071.html

And it's not considered a bug since at least 2000, either.  Ulrich's
response was quite clear, and this has been discussed on linux-kernel a
few times.  If they can't run programs you can't give them a writeable
directory and that's all there is to it.

I know of at least three other ways to make code on a noexec partition
run: LD_LIBRARY_PATH, LD_PRELOAD, and the combination of GDB and a lot
of patience.  You could probably do it with elisp in emacs.  You could
almost certainly do it with Perl, Python, or anything else that loads
dynamic modules.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
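
Added example, not part of the original thread and not glibc or Debian code: a detection sketch for the cases named above (the dynamic loader invoked directly on a file, and LD_PRELOAD / LD_LIBRARY_PATH entries) when the path involved lies on a noexec mount. The mount table, the event records and their field names (argv, cwd, env) are constructed assumptions about what a process-execution log provides.

```python
import os.path
import re

# Constructed sample in /proc/mounts format (not the reporter's system).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda2 /boot ext2 rw,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
"""
# Constructed exec events; the first mirrors the command line in the report.
EVENTS = [
    {"argv": ["/lib/ld-2.3.2.so", "/boot/bash", "--version"], "cwd": "/boot", "env": {}},
    {"argv": ["/bin/ls"], "cwd": "/home/u", "env": {"LD_PRELOAD": "/tmp/hook.so"}},
    {"argv": ["/bin/bash", "--version"], "cwd": "/", "env": {"LD_LIBRARY_PATH": "/usr/lib"}},
]
# Matches loader file names such as ld-2.3.2.so, ld-linux.so.2, ld.so.1.
LOADER_RE = re.compile(r"^ld(-[\w.-]+)?\.so(\.\d+)?$")

def noexec_mounts(mounts_text):
    """Return the mount points whose option field contains noexec."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            points.append(fields[1])
    return points

def on_noexec(path, cwd, mount_points):
    """True if path (resolved against cwd) is at or below a noexec mount point."""
    full = os.path.normpath(os.path.join(cwd, path))
    return any(full == m or full.startswith(m.rstrip("/") + "/") for m in mount_points)

def findings(event, mount_points):
    """Return the reasons an exec event touches code on a noexec mount."""
    reasons = []
    argv, cwd = event["argv"], event["cwd"]
    if LOADER_RE.match(os.path.basename(argv[0])):
        # Loader run as a program: any path argument may be the file it maps.
        for arg in argv[1:]:
            if not arg.startswith("-") and on_noexec(arg, cwd, mount_points):
                reasons.append("loader-invoked:" + arg)
    for var in ("LD_PRELOAD", "LD_LIBRARY_PATH"):
        # Both variables hold lists; LD_PRELOAD also accepts spaces as separators.
        for entry in re.split(r"[:\s]+", event["env"].get(var, "")):
            if entry and on_noexec(entry, cwd, mount_points):
                reasons.append(var + ":" + entry)
    return reasons

if __name__ == "__main__":
    mounts = noexec_mounts(SAMPLE_MOUNTS)
    for ev in EVENTS:
        print(ev["argv"], findings(ev, mounts))
```

This covers only the loader and environment-variable cases; interpreters that load dynamic modules, also mentioned in the reply, would need their own rules.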


